Securing your OpenSSH server in Linux

Secure Shell (SSH) is a
program used to secure communication between two entities, often used as a
replacement for Telnet and the Berkeley protocols such as remote shell (RSH)
and remote login (Rlogin). SSH is also used as a secure remote copy utility, replacing
traditional protocols such as the File Transfer Protocol (FTP) and Remote Copy
Protocol (RCP).

For this tutorial, we are going to demonstrate the steps for securing your
OpenSSH server, which is a free version of the SSH protocol suite.

Note: Steps 1-9 are done by editing your sshd_config. Restart the ssh service
after making changes so that they take effect.

1. Use SSH Protocol 2

Use SSH version 2 (SSH2) only, as it offers better performance, flexibility and
security than SSH1.

- To verify which SSH protocol version you are running, check your
/etc/ssh/sshd_config and look for the line “Protocol”,

By default, sshd gives a connected user that has not begun the authentication
process a grace time of 2 minutes (120 secs). It’s recommended to shorten this
time to protect from brute force attacks.

LoginGraceTime 30

8. Change ssh port number

The advantage of this is that it somewhat protects your box against automated
attacks or malicious scripts that try to get in via the default ssh port 22.

Port 35286

9. Limit or Permit only specific users or groups to login

By default, all users are allowed to access your box, but you have the option to
allow or deny specific users or groups. This can be done in either of these ways.

#[AllowUsers]

AllowUsers darwin tux

OR

#[DenyUsers]

DenyUsers user1 user2

DenyGroups group1 group2 group3
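
An added example, not part of the original tutorial: a small Python check that reads an sshd_config and reports which of the settings from the steps above (Protocol, LoginGraceTime, Port, user/group restrictions) are still weak. It goes slightly beyond the text by handling sshd time formats such as 2m, repeated keywords and Match blocks; the function names, finding codes and sample config are made up for illustration, and a missing Protocol line is assumed to mean protocol 2.

```python
import re
from collections import defaultdict

# Constructed sample config (not from a real host).
SAMPLE = """\
Protocol 2,1
logingracetime 2m
LoginGraceTime 30
Port 22
Match User backup
    AllowUsers backup
"""
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def seconds(value):
    """Convert sshd time formats (30, 90s, 2m, 1h30m) to seconds."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    if not parts or "".join(n + u for n, u in parts) != value.lower():
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def global_settings(text):
    """Map each lower-cased keyword to the argument strings given for it."""
    found = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":  # what follows is conditional, not global
            break
        found[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
    return found

def audit(text, max_grace=30):
    """Return finding codes for the settings this tutorial recommends."""
    cfg, findings = global_settings(text), []
    # Single-valued keywords: sshd uses the first value it reads.
    # Assumption: a missing Protocol line is treated as "2".
    if "1" in cfg.get("protocol", ["2"])[0].split(","):
        findings.append("protocol-1-enabled")
    grace = seconds(cfg.get("logingracetime", ["120"])[0])
    if grace == 0 or grace > max_grace:  # 0 disables the limit
        findings.append("login-grace-time-too-long")
    # Port and the Allow*/Deny* lists may appear more than once.
    if "22" in [p for v in cfg.get("port", ["22"]) for p in v.split()]:
        findings.append("default-port-22")
    if not any(cfg.get(k) for k in ("allowusers", "denyusers", "allowgroups", "denygroups")):
        findings.append("no-user-or-group-restriction")
    return findings
```

Calling audit(SAMPLE) flags all four settings: the first LoginGraceTime line (2m) is the one that counts, and the AllowUsers line inside the Match block does not restrict logins globally. On a live host, `sshd -T` prints the effective configuration, which can be checked the same way.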

10. Update OpenSSH & OS

Make sure your Linux system is running the latest version of OpenSSH. The SSH
package version depends on your Linux distribution & OS version. Your
distro will use the best or stable version for any package, so if you want to
upgrade to another version, you can do this via source package installation. It
can be downloaded from the official OpenSSH site, http://www.openssh.com.
Alternatively, you can do it by installing the latest rpm package or changing
your repository, then using yum.

For instance, if you are running CentOS 5.8, to check the currently installed
package and verify whether there’s an update, try the following:

It’s good to have your servers protected by hardware such as security
appliances (PIX, ASA, etc.) that add more protection, such as limiting TCP
connections, especially for preventing dictionary attacks.

If you don’t have this, the good news is that this can also be done from your
Linux server using iptables.